
SSL certificate name match monitor

Author: jccleaver
Compatibility: Xymon 4.2.3
Requirements: perl, unix
Download: None
Last Update: 2010-08-02

Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html

A small script that checks “sslcert” tests and tries to verify that the common name (“CN=”) in the resulting SSL certificate matches the URL that we tried to reach (e.g. https://secure.example.com/). It reports the status under a new test name, “sslname”. Wildcard certificates are taken into account, since we're matching using extended grep.

Client side

No change needed.

Server side

1. Copy the script into the ext/ directory (or wherever you're storing external scripts) and edit the hobbitlaunch.cfg file, adding a new block:

# "sslname" runs the ssl certificate checker to verify that sslcert test results match
# the URL we tried to access
# 

[sslname]
        ENVFILE /etc/xymon/hobbitserver.cfg
        NEEDS hobbitd
        CMD /etc/xymon/ext/sslname.sh
        LOGFILE /var/log/xymon/sslname.log

sslname.sh
#!/bin/sh

# sslname.sh
#
# Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
# check Xymon does using a built-in (probably https, but also things like imaps)
#
# After getting this list, we go through each one looking for the common-
# name that the certificate responded with, verifying that it matched the
# url we were trying to reach in the originating test. Normally this means
# the address for the http test, but it could be just the hostname in the event
# of another SSL service.
#
# Japheth Cleaver <jcleaver@soe.sony.com>
# No warranty. YMMV. Use at your own risk. This is not supported by my employer.
#


# Set some defaults - I'm running this from hobbitlaunch, YMMV
[ -z "$TESTNAME" ] && TESTNAME=sslname
[ -z "$BBDISP" ]   && BBDISP=0.0.0.0
[ -z "$COLOR" ]    && COLOR="clear"
[ -z "$BB" ]       && BB=/usr/bin/bb


# Get a list of all valid sslcert tests
SSLHOSTS=$($BB $BBDISP "hobbitdboard test=sslcert fields=hostname")
[ -z "$SSLHOSTS" ] && exit 0


# Loop over them and compare the common name with any URL we can find
for THISHOST in $SSLHOSTS ; do

    # Return the details of this host's sslcert data, unescaping on the way
    # (hobbitdboard HTML-escapes the message and writes newlines as "\n")
    SSLDATA=$($BB $BBDISP "hobbitdboard host=^$THISHOST test=sslcert fields=hostname,msg" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\n/\n/g;')

    # Find the common name...
    COMMONNAME=$(echo "$SSLDATA" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/')
    if [ -z "$COMMONNAME" ] ; then
        echo "Couldn't find a 'common name' for $THISHOST..." >&2
        continue
    fi
    # echo " -- Common name for $THISHOST is '$COMMONNAME'"


    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number
    URL=$(echo "$SSLDATA" | grep -c https://)
    if [ "$URL" -eq 1 ] ; then
        # Great, a simple https address to look at
        URL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*https://([\w\.\-]+)(:\d+)?/.*$#\1#')
        HUMANURL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*(https://[\w\.\-]+(:\d+)?/).*$#\1#')
    else
        URL=$THISHOST
        HUMANURL=$THISHOST
    fi


    # Build our Xymon report
    if [ "$(echo "$URL" | grep -cE "$COMMONNAME")" -eq 1 ] ; then
        STATUS="SSL cert ok"
        COLOR="green"
        BODY="&green $HUMANURL matches certificate $COMMONNAME"

    else
        STATUS="SSL cert name MISMATCH"
        COLOR="red"
        BODY="&red $HUMANURL does NOT match certificate $COMMONNAME

<A HREF=\"$BBWEBHOST$BBSERVERCGIURL/bb-hostsvc.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>"

    fi

    # Send results to Xymon
    THISCOMMA=$(echo "$THISHOST" | sed -e 's/\./,/g')
    ## echo "$BODY" | $BB $BBDISP --both "status ${THISCOMMA}.${TESTNAME} ${COLOR} $(date) - ${STATUS}"
    $BB $BBDISP "status ${THISCOMMA}.${TESTNAME} ${COLOR} $(date) - ${STATUS}
$BODY"

done


# fin
exit 0

This is targeted mainly at https:// tests; YMMV with “sslcert” results from other types of tests (imaps, smtps, pop3s, etc.).
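Added here as a worked example, not code from the script above: the monitor's three steps (common name out of the sslcert message, hostname out of the https:// URL, grep -E comparison) as small sh functions run over a constructed sslcert message, next to a stricter comparison that treats the CN literally and lets a leftmost wildcard cover exactly one label. SAMPLE_SSLDATA and the hostnames are constructed for the example; nothing here talks to a Xymon server.

```shell
#!/bin/sh
# Added example, not part of the original sslname.sh: the monitor's
# three steps as functions, plus a stricter CN comparison.
# SAMPLE_SSLDATA is a constructed sslcert message, not real Xymon output.
SAMPLE_SSLDATA='secure.example.com|Server certificate:
    subject:/C=US/O=Example Inc/CN=*.example.com
    start date: 2010-01-01 00:00:00 GMT
&green https://secure.example.com:8443/ - OK'

# Step 1: common name, same idea as the monitor's perl one-liner.
extract_cn() {
    printf '%s\n' "$1" | grep CN= | sed -E 's/^.*CN=([A-Za-z0-9._*-]+).*$/\1/'
}

# Step 2: hostname from the https:// URL (port dropped, trailing / required).
extract_url_host() {
    printf '%s\n' "$1" | grep https:// |
        sed -E 's#^.*https://([A-Za-z0-9._-]+)(:[0-9]+)?/.*$#\1#'
}

# Step 3a: the monitor's comparison. The CN is an extended regex here, so
# "." matches any character and the CN only has to occur as a substring.
cn_matches_grep() {   # $1 = hostname  $2 = CN
    [ "$(printf '%s\n' "$1" | grep -cE "$2")" -eq 1 ]
}

# Step 3b: stricter comparison: exact match, or a leftmost "*." that
# covers exactly one label; the CN is never interpreted as a regex.
cn_matches_strict() {   # $1 = hostname  $2 = CN
    case $2 in
        \*.*)
            suffix=${2#"*."}
            prefix=${1%".$suffix"}
            [ "$prefix" != "$1" ] || return 1       # not under .suffix
            [ -n "$prefix" ] || return 1            # bare suffix excluded
            case $prefix in *.*) return 1 ;; esac   # one label only
            return 0 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Colour as the monitor reports it, driven by the strict comparison.
sslname_color() {   # $1 = hostname  $2 = CN
    if cn_matches_strict "$1" "$2"; then echo green; else echo red; fi
}

cn=$(extract_cn "$SAMPLE_SSLDATA")
host=$(extract_url_host "$SAMPLE_SSLDATA")
echo "host=$host cn=$cn -> $(sslname_color "$host" "$cn")"
```

Because the grep -E comparison treats each dot in the CN as any-character and looks for the CN as a substring, the two checks disagree on names such as secureXexample.com or secure.example.com.example.net, which the strict comparison reports red.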

Suggestions?

  • 2010-08-02
    • Initial public release
  • Last modified: 2015/11/10 03:54